The final push to the HTTPS-only standard for federal websites

By: William Jackson
August 12, 2016


Federal executive branch agencies have until the end of the year to secure all public-facing websites with encrypted HTTPS (Hypertext Transfer Protocol Secure) connections, but nearly half of federal sites remain unprotected. This is not surprising given the level of compliance with most federal IT mandates, but the HTTPS-only standard should be achievable for most agencies, says one industry observer.

“This is one of the easier green check-boxes,” said Tom Ruff, public sector VP for the content delivery company Akamai.

The mandate was issued by Federal CIO Tony Scott in June 2015, declaring that the new government standard for privacy was that “all browsing activity should be considered private and sensitive.”

Standard unencrypted HTTP connections can expose data exchanged between clients and web servers, and provide no assurance of the identity of the websites being accessed. HTTPS is becoming an industry best practice for providing this security in online activities, and the mandate is intended to encourage its use in the private sector as well as in government. “Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public,” the memo says.

HTTPS adds Transport Layer Security (TLS) to the Hypertext Transfer Protocol (HTTP), using digital certificates to verify the identity of websites that are being contacted and encrypting traffic between the server and client. This makes it more difficult for sites to be spoofed and protects data in transit. But it is not a complete security solution. It guarantees the integrity of the connection between systems, but not the systems themselves. It does not protect the systems from attacks by hackers.

But because HTTPS is economical—both in terms of cost and effort to implement and in computational overhead—it is a relatively cheap way to get good, if not perfect, privacy.

The secure protocol already was in use in some government sites, primarily those containing sensitive information or handling transactions. Ruff, whose company delivers online content for 14 of 15 cabinet-level agencies, said that before the mandate about 30 percent of sites were using HTTPS. The latest survey of more than 1,100 sites by the Federal CIO Council, done Aug. 5, found 52 percent supported HTTPS.

For many agencies using a content delivery network or other service provider, turning on HTTPS in the cloud is a simple matter. And many service providers can manage digital certificates, which can be a significant task in implementing and maintaining the secure protocol. But although HTTPS might be relatively economical and easy to deploy, it is not free.

“Implementing an HTTPS-only standard does not come without a cost,” the memo acknowledges. These include identifying assets and planning for deployment as well as the financial cost of procuring a certificate and the administrative burden of maintenance.

Mixed content from external resources also must be managed. When such content is loaded onto an HTTPS page, many browsers will not display it if it comes from an unsecured (plain HTTP) source. For some sites, updating, replacing or removing references to these unsecured resources can be the most time-consuming part of the migration.
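Finding those insecure references is the first step of the cleanup the paragraph above describes. The script below is an added example, not code from the article or from any agency or vendor it mentions: it walks an HTML page with Python's standard-library parser and reports every subresource fetched over plain `http://`, separating "active" content (scripts, frames, stylesheets, which browsers block outright on an HTTPS page) from "passive" content (images and media, which most browsers still load but flag). The sample page, the host names and the tag classification are constructed for the example; scheme-relative (`//host/...`) and `https://` references are left alone, as are ordinary navigation links, which are not mixed content.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag classification (an assumption made for this example, following the
# usual browser distinction): active content is blocked on an HTTPS page,
# passive content is loaded but marked insecure. Navigation links (<a>)
# are deliberately not listed: following a link is not mixed content.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
PASSIVE_TAGS = {"img", "audio", "video", "source"}
URL_ATTRS = {"src", "href", "data"}


class MixedContentFinder(HTMLParser):
    """Collect subresource references that use the plain http:// scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            kind = "active"
        elif tag in PASSIVE_TAGS:
            kind = "passive"
        else:
            return  # not a subresource-loading tag we care about
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # urlparse gives an empty scheme for relative and scheme-relative
            # ("//host/path") URLs, so only an explicit http:// is reported.
            if urlparse(value.strip()).scheme.lower() == "http":
                self.findings.append(
                    {"tag": tag, "attr": name, "url": value.strip(), "kind": kind}
                )


def find_mixed_content(html):
    """Return a list of {tag, attr, url, kind} dicts in document order."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def summarize(findings):
    """Count findings per kind; active ones are the migration blockers."""
    counts = {"active": 0, "passive": 0}
    for f in findings:
        counts[f["kind"]] += 1
    return counts


# Constructed sample page standing in for a site mid-migration.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="http://tracker.example.test/t.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="//images.example.test/hero.png">
<a href="http://other.example.test/">an ordinary link</a>
</body></html>
"""

if __name__ == "__main__":
    found = find_mixed_content(SAMPLE_HTML)
    for f in found:
        print(f"{f['kind']:7} <{f['tag']} {f['attr']}> {f['url']}")
    print(summarize(found))
```

Run against a saved copy of a page (or the output of a crawler) it gives a worklist: each "active" entry will break the page once it is served over HTTPS and must be switched to `https://` or a scheme-relative URL, while "passive" entries can be fixed in a second pass. It checks a single page's markup only; resources pulled in by scripts at runtime need a browser-based check.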

The relatively low percentage of sites that implemented HTTPS does not mean that progress is not being made. The mandate calls for agencies to prioritize deployment of the protocol based on risk, and Ruff says this appears to be happening. Many sites with sensitive personal data or on which transactions are conducted now are protected, while static public information sites hosting only “brochure-ware” are being left for later.

Still, later isn’t very far off; it is only a little more than four months to the Dec. 31 deadline. Realistically, we are not likely to see 100 percent compliance by then, but agencies should make the effort to ensure that sensitive information and transactions are being protected.